Cloudflare, Mozilla, Google, and Microsoft are building a shared protocol to tell real traffic from malicious bots — without asking users to prove they're human by clicking fire hydrants.
The initiative, called Private Access Control Tokens (PACT), attaches an anonymized "personhood" token to a user's browser. That token draws on "trusted information from contexts that have authentic relationships with people" — Cloudflare's phrasing — to vouch for legitimate access without exposing identity or requiring a login. The protocol is designed to cover not just humans but also authorized AI agents acting on behalf of a real user. Chrome, Firefox, and Edge collectively hold roughly 77% of browser market share, according to StatCounter, so a rollout here would reach most of the internet quickly.
The timing is pointed: bot traffic has already overtaken human HTTP requests, and AI agents are accelerating that shift. PACT's value proposition is that it raises the cost of malicious automation without adding friction for real users — no CAPTCHAs, no intrusive tracking, no abandoned shopping carts. Shopify is listed as a development partner, which signals that e-commerce abuse is a primary target use case.
The cynical read: browser-level token schemes have been proposed before, and the gap between "announced initiative" and "deployed standard" tends to stretch. PACT is still early-stage, and getting every major browser, CDN, and site operator to adopt a shared trust framework is exactly the kind of coordination problem that looks cleaner in a press release than in practice.